Zeus Criminals Launch DDoS Attacks to Hide Fraudulent Wire Transfers

The FBI has warned of a new spear-phishing campaign that tricks users into downloading Zeus malware and then loots their bank accounts. The criminals also launch DDoS attacks on the banks to cover the fraudulent transfers.

The Federal Bureau of Investigation has warned of an elaborate spear-phishing campaign that wires money out of victims' accounts under the cover of a distributed denial-of-service attack against the bank.

The new spear-phishing campaign masquerades as emails from the National Automated Clearing House Association (NACHA) and downloads a variant of the Zeus banking Trojan onto the victim's computer, the FBI Denver Cyber Squad said in its warning issued Nov. 23.

The malware steals the user's online banking credentials and launches a DDoS attack on the financial institution to hide the fact that it is also transferring money out of user accounts. The DDoS attacks may also make it difficult for the financial institution to stop or reverse the transfers even if they are detected in time.

The email informs the recipient that there was a problem with a transaction at their bank and it was not processed. By clicking on the link in the email, the recipient is directed to a Website that downloads the Zeus variant called "Gameover" to the recipient's computer, the FBI warned. Gameover is capable of keylogging to steal banking credentials as well as defeating several forms of two-factor authentication mechanisms the banks may be employing.

The new spear-phishing campaign involves "personal and business bank accounts, financial institutions, money mules and jewelry stores," according to the warning.
Attackers are becoming increasingly smart and stealthy in their DDoS methods, Mike Paquette, chief strategy officer at Corero Network Security, told eWEEK. While a brute-force or flooding-type DDoS attack can be relatively easy to identify, it requires high-performance and sophisticated real-time analysis to recognize and block attack traffic while simultaneously allowing legitimate traffic to pass, according to Paquette.
Application-layer attacks, such as the one posed by the recent Apache Killer, are "more insidious" and require the financial institution to have a thorough understanding of the typical behaviors and actions of their actual customers, he said.
Paquette suggested that financial institutions should automate DDoS defense to create user profiles to identify suspicious traffic, much in the same way automated credit card fraud-detection technologies look for unusual spending activity.
A portion of the wire transfers is being transmitted directly to high-end jewelry stores, according to the warning. The criminals contact a jeweler looking for precious stones and luxury watches. They promise to wire the money directly to the jeweler's account and say someone will come to pick up the merchandise.

Once the fraudulent wire transfers are complete, a money mule comes to the actual store to pick up thousands of dollars of goods, the FBI said. Even though the transaction is reversed when the fraud is discovered, the jeweler is unable to recover the goods.
DDoS attacks against high-profile targets are generally perpetrated by intelligent, determined and persistent adversaries, and this "new breed" of attackers will switch to different sources and methods as necessary, Paquette said. Therefore, advance preparation is key to being able to respond to these DDoS attacks effectively, Paquette said. A response plan lists the steps the institution should take during a DDoS attack.
Hiding malicious activity by distracting the defenders with a DDoS attack is not new. The perpetrators who breached Sony's PlayStation Network and Sony Online Entertainment services earlier this year appear to have taken advantage of the fact that the entertainment giant's IT staff was busy trying to contain the DDoS attacks that had been launched by the Anonymous hacktivists.
Institutions shouldn't rely on just the Internet service providers to be able to mitigate the DDoS attack, but should deploy technology in-house to serve as the front-line defense against both flooding-type and application-layer DDoS attacks, according to Paquette. DDoS mitigation tools need to be deployed alongside monitoring services so that organizations can rapidly identify and react to sustained attacks.
"Continuous and automated monitoring is required in order to recognize an attack, sound the alarm and initiate the response plan," Paquette said.